Forum Discussion
Greg_130338
Nimbostratus
Aug 10, 2015
Exchange 2013 iApp
Hey all, recently deployed this iApp. Question about SSO. It looks like the iapp configures 3 SSO profiles, forms based, kerberos, and NTLMv1. However, none of these are actually assigned to the acce...
mikeshimkus_111
Aug 10, 2015Historic F5 Account
Hi Greg, SSO for non-OWA services is controlled by the APM Exchange profile, which is located under Access Policy ›› Application Access : Microsoft Exchange in the GUI.
The OWA SSO is selected using the _select_sso_irule created by the iApp. When the rule encounters the OWA URI, it uses WEBSSO::select to pick the forms SSO.
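The OWA-specific selection Mike describes, written out as an added illustration. This is not the iApp's generated _select_sso_irule; it assumes a forms-based SSO object named /Common/exchange_forms_sso (a hypothetical name), attached to the same access profile as the virtual server, and it also matches /ecp alongside /owa, which is my addition rather than something the thread states. Non-OWA traffic (Outlook Anywhere, ActiveSync, EWS) is deliberately left alone so the SSO chosen by the APM Exchange profile still applies to it.

```tcl
# Added example, not the iApp's own _select_sso_irule.
# Assumptions:
#   - /Common/exchange_forms_sso is a forms-based SSO object (hypothetical name)
#     attached to this virtual server's access profile.
#   - Kerberos/NTLM SSO for the other Exchange services is configured in the
#     APM Exchange profile (Access Policy >> Application Access : Microsoft
#     Exchange) and must not be overridden here.
when HTTP_REQUEST {
    # Only act inside an APM session; WEBSSO::select has no meaning without one.
    if { [ACCESS::session exists] } {
        switch -glob -- [string tolower [HTTP::path]] {
            "/owa*" -
            "/ecp*" {
                # Browser-facing paths: force the forms SSO so APM replays the
                # user's credentials into the OWA/ECP logon form.
                WEBSSO::select /Common/exchange_forms_sso
            }
            default {
                # Everything else falls through to the SSO selected by the
                # APM Exchange profile (Kerberos or NTLM).
            }
        }
    }
}
```

The practical check that follows from Greg's experience further down the thread: the iRule must be attached to every virtual server that fronts OWA. Reusing an access profile from an earlier iApp deployment on a second virtual server does not carry the iRule with it, so OWA on that second server never gets the forms SSO.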
- Greg_130338Aug 10, 2015
Nimbostratus
OK, I think I figured it out. I created an iApp for internal connections using an internal IP for the VS. Once I did that, I created an external iApp, but I reused the same APM policy I had created using the previous iApp creation. Is this not recommended? I compared the iRules associated with both, and the external VS definitely does not have that SSO iRule for OWA in it. I am still failing on the NTLM auth for full Outlook clients, which worked previously. Frustrating!
- mikeshimkus_111Aug 10, 2015
Historic F5 Account
I wouldn't reuse the APM configuration from the previous deployment. You should let the iApp create a new set of objects.
- Greg_130338Aug 10, 2015
Nimbostratus
Roger. I think that's where I am at this point. I may just rebuild both iApps and start over. Thanks for the assistance. For the NTLM auth I am now getting auth failures logged on the F5: NO LOGON SERVERS AVAILABLE. This is through the Kerberos SSO config. It gives an error, "could not verify user" (a lot of characters), which is followed by a bunch of failed auth errors for my user ID. My DC is definitely up and the delegated Kerberos account is not locked. Ever seen that before? This was definitely working a few days ago.
- mikeshimkus_111Aug 10, 2015
Historic F5 Account
Is the time on both your APM and domain controllers synced up? Do you still meet all the other requirements? For example, is reverse DNS still good for your pool members, and do you have the SPNs set correctly for the delegation account?
- Greg_130338Aug 10, 2015
Nimbostratus
Yes, I followed that documentation. The PTR records exist for the host names of my Exchange servers. Should there be PTR records for the URL used to access the Outlook Anywhere service as well? For example, we have host1.domain.com and host2.domain.com, but should we also have two PTRs for email.domain.com pointing to both mail servers' IP addresses? I'm trying to find that document now that walked through all the steps, to double check that nothing has changed.
- Greg_130338Aug 10, 2015
Nimbostratus
Never mind, it is documented at the bottom of the iApp documentation. Right, so PTRs only need to return hostnames, not the mail URL, which we do have set. I also ensured we gave the account proper permissions. All was working well Friday, and now I keep getting that failure that no logon servers are available. Need to up the logging to see what I see.
- Greg_130338Aug 12, 2015
Nimbostratus
Thanks for the responses, Mike. I did some debugging and here is where I am at. Everything is working except external Outlook Anywhere clients. See my last post: https://devcentral.f5.com/s/feed/0D51T00006i7bMKSAY